Following a massive ransomware attack on the Costa Rican government in April, the U.S. government issued a notice last week announcing a reward, potentially worth millions of dollars, for information on people involved with the Conti ransomware used in the attack. Rodrigo Chaves Robles, the recently sworn-in president of Costa Rica, has declared a national state of emergency over the attack, according to CyberScoop.
According to BleepingComputer, the ransomware attack affected Costa Rica’s Ministries of Finance and Labor and Social Security, as well as the country’s Social Development and Family Assistance Fund, among other entities. The report also said the attack affected some services from the country’s treasury, starting on April 18th. According to hackers, not only have some of the government systems been taken down, but data is also leaking, reports CyberScoop, which notes that almost 700 GB of data has made its way to the Conti website.
The US State Department says the attack “seriously affected the country’s foreign trade by disrupting its customs and tax platforms” and offered “up to $10 million for information leading to the identification and/or location” of organizers behind Conti. The U.S. government is also offering $5 million for information “leading to the arrest and/or conviction of any person in any country conspiring to participate or attempting to participate” in a Conti-based ransomware attack.
Last year, the United States offered similar rewards for information on REvil and DarkSide (the group behind the Colonial Pipeline attack). It is widely believed that REvil no longer exists after the United States reportedly hacked the group’s servers, and the Russian government claims to have arrested several members.
The Costa Rican government is not the only organization to fall victim to Conti’s ransomware. As Krebs on Security notes, the group is particularly known for targeting healthcare facilities such as hospitals and research centers.
The gang is also known for having its chat logs leaked after it announced its full support for the Russian government shortly after the invasion of Ukraine began. According to CNBC, these logs show that the group behind the ransomware itself has organizational problems: people are not paid and arrests occur. However, as with many ransomware operations, the actual software has also been used by “related parties” (affiliates), other entities that have used it to carry out their own attacks.
In the case of Costa Rica, the attacker claims to be one of those affiliates and says they are not part of a larger team or government, according to a statement released by CyberScoop. However, they threatened to carry out “more serious” attacks, calling Costa Rica a “demo version”.